Chapter 1

This Quick Start Guide for the ClearPass Policy Manager System (Policy Manager) describes the steps for installing the 
appliance using the Command Line Interface (CLI) and using the User Interface (UI) to ensure that the required 
services are running. 



Installing Policy Manager 

The Policy Manager server requires initial port configuration. 

Server Port Overview 

Policy Manager Backplane 

P — Power Button; A — Serial port; B — Management port; C — Data port, as described in the following table:

Key | Port | Description
A | Serial | Configures the Policy Manager appliance initially, via hardwired terminal.
B (eth1) | Management (gigabit Ethernet) | Provides access for cluster administration and appliance maintenance via web access, CLI, or internal cluster communications. Configuration required.
C (eth2) | Data (gigabit Ethernet) | Provides the point of contact for RADIUS, TACACS+, Web Authentication and other data-plane requests. Configuration optional. If not configured, requests are redirected to the management port.




Server Port Configuration

Before starting the installation, gather the following required information:

Required Item | Item Information
Hostname (Policy Manager server) |
Management Port IP Address |
Management Port Subnet Mask |
Management Port Gateway |
Data Port IP Address (optional) | Data Port IP Address must not be in the same subnet as the Management Port IP Address
Data Port Gateway (optional) |
Data Port Subnet Mask (optional) |
Primary DNS |
Secondary DNS |
NTP Server (optional) |
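As an added check (not part of the guide or of ClearPass), the following Python script validates a filled-in worksheet before the values are typed into the setup wizard, including the rule above that the Data Port IP must not share a subnet with the Management Port IP. The key names are this example's own, and the sample worksheet is constructed from the addresses in the wizard illustration below.

```python
"""Pre-install worksheet check for the ClearPass Policy Manager port settings.

Added example (not Aruba's code). Keys follow the Required Item table:
hostname, mgmt_ip, mgmt_mask, mgmt_gw and primary_dns are required;
data_ip, data_mask, data_gw, secondary_dns and ntp are optional.
"""
import ipaddress

REQUIRED = ("hostname", "mgmt_ip", "mgmt_mask", "mgmt_gw", "primary_dns")


def _subnet(ip, mask, label, problems):
    """Parse ip/mask into a network, recording a problem instead of raising."""
    try:
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    except ValueError as exc:
        problems.append(f"{label}: {exc}")
        return None


def _address(value, label, problems):
    """Parse a single address, recording a problem instead of raising."""
    try:
        return ipaddress.ip_address(value)
    except ValueError as exc:
        problems.append(f"{label}: {exc}")
        return None


def check_worksheet(ws: dict) -> list:
    """Return the list of problems found in the worksheet (empty means OK)."""
    problems = []
    for key in REQUIRED:
        if not ws.get(key):
            problems.append(f"{key} is required")
    if problems:
        return problems

    mgmt_net = _subnet(ws["mgmt_ip"], ws["mgmt_mask"], "management port", problems)
    mgmt_gw = _address(ws["mgmt_gw"], "management gateway", problems)
    if mgmt_net and mgmt_gw and mgmt_gw not in mgmt_net:
        problems.append("management gateway is not inside the management subnet")

    # DNS servers must be addresses; the NTP server may be a hostname (pool.ntp.org
    # in the guide), so it is not checked here.
    for key in ("primary_dns", "secondary_dns"):
        if ws.get(key):
            _address(ws[key], key, problems)

    # The data port is optional, but if an address is given it needs a mask and
    # must sit in a different subnet from the management port.
    if ws.get("data_ip"):
        if not ws.get("data_mask"):
            problems.append("data_mask is required when data_ip is set")
            return problems
        data_net = _subnet(ws["data_ip"], ws["data_mask"], "data port", problems)
        data_ip = _address(ws["data_ip"], "data_ip", problems)
        if mgmt_net and data_ip and data_ip in mgmt_net:
            problems.append("data_ip is in the same subnet as the management port")
        if data_net and mgmt_net and data_net.overlaps(mgmt_net):
            problems.append("data port subnet overlaps the management subnet")
        if ws.get("data_gw"):
            data_gw = _address(ws["data_gw"], "data gateway", problems)
            if data_net and data_gw and data_gw not in data_net:
                problems.append("data gateway is not inside the data subnet")
    return problems


# Constructed worksheet using the addresses from the guide's wizard illustration.
EXAMPLE_WORKSHEET = {
    "hostname": "hyperion.us.arubanetworks.com",
    "mgmt_ip": "192.168.5.10", "mgmt_mask": "255.255.255.0", "mgmt_gw": "192.168.5.1",
    "data_ip": "192.168.7.55", "data_mask": "255.255.255.0", "data_gw": "192.168.7.1",
    "primary_dns": "192.168.5.3", "secondary_dns": "192.168.5.1", "ntp": "pool.ntp.org",
}

if __name__ == "__main__":
    for line in check_worksheet(EXAMPLE_WORKSHEET) or ["worksheet OK"]:
        print(line)
```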





To set up the Policy Manager appliance: 

1. Connect and power on.

Using the null modem cable provided, connect a serial port on the appliance to a terminal, then connect power and switch on. The appliance immediately becomes available for configuration.

Use the following parameters for the serial port connection:

Bit Rate: 9600
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: None

2. Log in.

Later, you will create a unique appliance/cluster administration password. For now, use the preconfigured credentials:

login: appadmin
password: eTIPS123

This starts the Policy Manager Configuration Wizard.

3. Configure the appliance. 

Replace the bolded placeholder entries in the following illustration with your local information:

Enter hostname: hyperion.us.arubanetworks.com
Enter Management Port IP Address: 192.168.5.10
Enter Management Port Subnet Mask: 255.255.255.0
Enter Management Port Gateway: 192.168.5.1
Enter Data Port IP Address: 192.168.7.55
Enter Data Port Subnet Mask: 255.255.255.0
Enter Data Port Gateway: 192.168.7.1
Enter Primary DNS: 198.168.5.3
Enter Secondary DNS: 192.168.5.1

4. Change your password.

Use any string of at least six characters:

New Password: ************
Confirm Password: ************

Going forward, you will use this password for cluster administration and management of the appliance.

5. Change system date/time. 

Do you want to configure system date time information [y|n] : y
Please select the date time configuration options.
1) Set date time manually
2) Set date time by configuring NTP servers
Enter the option or press any key to quit: 2
Enter Primary NTP Server: pool.ntp.org
Enter Secondary NTP Server: time.nist.gov

Do you want to configure the timezone? [y|n] : y

Once the timezone information is entered, you are asked to confirm the selection.

6. Commit or restart the configuration.

Follow the prompts:

y[Y] to continue
n[N] to start over again
q[Q] to quit

Enter the choice: Y

Successfully configured Policy Manager appliance
**************************************************************
* Initial configuration is complete.
* Use the new login password to login to the CLI .
* Exiting the CLI session in 2 minutes. Press any key to exit now.

A Subset of Useful CLI Commands 

The CLI provides a way to manage and configure Policy Manager information. Refer to Appendix A: Command Line 
Interface in the User Guide for more detailed information on the CLI. 

The CLI can be accessed from the console using a serial port interface or remotely using SSH:

*****************************************************************************************
*                                                                                       *
* Aruba Networks Policy Manager 6.1.0.50361, Copyright 2006-2013, Aruba Networks Inc    *
*                                                                                       *
*****************************************************************************************
Logged in as group Local Administrator

[appadmin@hyperion.us.arubanetworks.com] #

The following subset of CLI commands may be useful at this point:

To view the Policy Manager data and management port IP address, and DNS configuration:

[appadmin] # show ip

To reconfigure DNS or add a new DNS:

[appadmin] # configure dns <primary> [secondary] [tertiary]

To reconfigure or add management and data ports:

[appadmin] # configure ip <mgmt|data> <ipadd> netmask <netmask address> gateway <gateway address>

where:

Flag/Parameter | Description
ip <mgmt|data> <ip address> | Network interface type (mgmt or data), followed by the server IP address.
netmask <netmask address> | Netmask address.
gateway <gateway address> | Gateway address.



To configure the date (time and time zone optional):

[appadmin] # configure date -d <date> [-t <time>] [-z <timezone>]

To configure the hostname of the node:

[appadmin] # configure hostname <hostname>

If you are using Active Directory to authenticate users, be sure to join the Policy Manager appliance to that domain as well:

[appadmin] # ad net join <domain-controller.domain-name> [domain NETBIOS name]

where:

Flag/Parameter | Description
<domain-controller.domain-name> | Required. Host to be joined to the domain.
[domain NETBIOS name] | Optional.
Use Firefox 3.0 (or higher) or Internet Explorer 7.0.5 (or higher) to perform the following steps:

1. Open the administrative interface.

Navigate to https://<hostname>/tips (where <hostname> is the hostname you configured during the initial configuration).

2. Enter the License Key.

3. Click on the Activate Now link.

(Login screen: "You have 28 day(s) to activate the product", with an Activate Now link above the Username, Password and User Type (Local / Network) fields.)

4. Activate the product. 

If the appliance is connected to the Internet, click on the Activate Now button. If not, click on the Download 
button to download the Activation Request Token. Send an email to support@arubanetworks.com with the 
downloaded token as an attachment. Once you receive the Activation Key from Aruba, save it to a known location 
on your computer. Come back to this screen and click on the Browse button to select the Activation Key. Upload 
the key by clicking on the Upload button. 

The product is now activated. 



You have 87 day(s) to activate the product 



Online Activation 



Offline Activation 

If you are not connected to the Internet, you can download an Activation Request 
Token and obtain the Activation Key offline. 



Step 1. Download an Activation Request Token I 



Step 2 
Step 3. |~ 



Email the Activation Request Token to Aruba Networks Support 
(support@arubanetworks.com) 



Browse- 



Upload the Activation Key received from Aruba Networks Support 



Update License 



■IIJ.MJJIIJJ.LJJ 



5. Log in. Username: admin, Password: eTIPS123

(ClearPass Policy Manager login screen: Username, Password, User Type (Local / Network), and a link to launch the ClearPass Insight application. The screenshot shows ClearPass Policy Manager 5.2.0.42684 on the CP-HW-SK platform.)

6. Change the password. 

Navigate to Administration > Admin Users, then use the Edit Admin User popup to change the administration 
password. 

(Admin Users screen: the table lists User ID admin, Name Super Admin, Privilege Level Super Administrator. The Edit Admin User popup has User ID, Name, Password, Verify Password and Privilege Level fields.)


Accessing Help

The Policy Manager User Guide (in PDF format) is built within the help system here:

https://<hostname>/tipshelp/html/en/

(where <hostname> is the hostname you configured during the initial configuration.)

All Policy Manager user interface screens have context-sensitive help. To access context-sensitive help, click on the Help link at the top right hand corner of any screen.
To check the status of services, navigate to Administration > Server Manager > Server Configuration, then click on a row to select a server:

The System tab displays server identity and connection parameters.

The Service Control tab displays all services and their current status. If a service is stopped, you can use its Start/Stop button (toggle) to restart it.



(Service Control tab, columns Service Name / Status / Action: 1. AirGroup notification service, Running; 2. Async DB write service, Running; 3. Async network services, Running; 4. DB change notification server, Running; 5. DB replication service, Running; 6. Micros Fidelio FIAS, Running; 7. Multi-master cache, Running; 8. Policy server, Running; 9. Radius server, Running; 10. System auxiliary services, Running; 11. System monitor service, Running; 12. Tacacs server, Running; 13. Virtual IP service, Stopped.)

You can also start an individual service from the command line:

service start <service-name>

or all services from the command line:

service start all

The Service Parameters tab allows you to change system parameters for all services. 

The System Monitoring tab allows you to configure SNMP parameters, ensuring that external MIB browsers can 
browse the system-level MIB objects exposed by the Policy Manager appliance. 

The Network tab allows you to view and create GRE tunnels and VLANs. 

The following three use cases illustrate the process of configuring Policy Manager for basic 802.1X, WebAuth, and MAC Bypass Services:

• 802.1X Wireless Use Case on page 13

• Aruba Web Based Authentication Use Case on page 19

• MAC Authentication Use Case on page 25
The basic Policy Manager Use Case configures a Policy Manager Service to identify and evaluate an 802.1X request from a user logging into a Wireless Access Device. The following image illustrates the flow of control for this Service.

Figure 1 Flow of Control, Basic 802.1X Configuration Use Case

(Figure: the switch sends an 802.1X request; Policy Manager evaluates it and returns connection control attributes. The stages shown are:)

• Service. SERVICE: 802.1X Wireless. Policy Manager categorizes the request by Service Type.

• Authentication Method. AUTHENTICATION METHOD: 4 methods specified, illustrating the principle of a list from which methods are tested by Policy Manager in order of priority. Initiate authentication based on the specified method.

• Authentication Source. AUTHENTICATION SOURCE: 2 sources specified; Policy Manager authenticates requests against the sources in order of priority. Validate client identity against the specified source.

• Role Mapping. ROLE MAPPING (using attributes from AUTHORIZATION SOURCES): RMP_DEPARTMENT (client/department mapping). Map client identity to role.

• Posture Evaluation. POSTURE SERVER: PS_NPS. Evaluate posture; return "posture token" representing health.

• Enforcement Policy. ENFORCEMENT POLICY: Role_Based_Allow_Access_Policy. Based on posture token, role, and system time, map client to an Enforcement Profile.

• Enforcement Profile. ENFORCEMENT PROFILES: AllowAccess, DenyAccess. Return connection attributes (representing assigned access) to the switch.

Configuring the Service

Follow the steps below to configure this basic 802.1X service:

1. Create the Service.

The following table provides the model for information presented in Use Cases, which assume the reader's ability to extrapolate from a sequence of navigational instructions (left column) and settings (in summary form in the right column) at each step. Below the table, we call attention to any fields or functions that may not have an immediately obvious meaning.

Policy Manager ships with fourteen preconfigured Services. In this Use Case, you select a Service that supports 802.1X wireless requests.
Table 1: 802.1X - Create Service Navigation and Settings

Navigation:
Create a new Service:
• Services >
• Add Service (link) >
Name the Service and select a pre-configured Service Type:
• Service (tab) >
• Type (selector): 802.1X Wireless >
• Name/Description (freeform) >
• Upon completion, click Next (to Authentication)

Settings (screenshots):
Configuration » Services: Add Service, Import Services, Export Services.
Service (tab), followed by the Authentication, Authorization, Roles, Posture, Enforcement, Audit, Profiler and Summary tabs. Type: 802.1X Wireless; Name; Description: 802.1X Wireless Access Service; Monitor Mode: Enable to monitor network access without enforcement; More Options: Authorization, Posture Compliance, Audit End-hosts, Profile Endpoints.
Service Rule, matches ALL of the following conditions (Type / Name / Operator / Value):
1. Radius:IETF NAS-Port-Type EQUALS Wireless-802.11 (19)
2. Radius:IETF Service-Type BELONGS_TO Login-User (1), Framed-User (2), Authenticate-Only (8)

NOTE: The following fields deserve special mention:

Monitor Mode: Optionally, check here to allow handshakes to occur (for monitoring purposes), but without 
enforcement. 

Service Categorization Rule: For purposes of this Use Case, accept the preconfigured Service Categorization 
Rules for this Type. 

2. Configure Authentication. 

Follow the instructions to select [EAP FAST], one of the pre-configured Policy Manager Authentication Methods, 
and Active Directory Authentication Source (AD), an external Authentication Source within your existing 
enterprise. 

Policy Manager fetches attributes used for role mapping from the Authorization Sources (that are associated with the 
authentication source). In this example, the authentication and authorization source are one and the same. 
Table 2: Configure Authentication Navigation and Settings

Navigation:
Select an Authentication Method and an Active Directory server (that you have already configured in Policy Manager):
• Authentication (tab) >
• Methods (Select a method from the drop-down list) >
• Add >
• Sources (Select from the drop-down list; the list includes [Local User Repository] [Local SQL DB], [Guest User Repository] [Local SQL DB], [Guest Device Repository] [Local SQL DB], [Endpoints Repository] [Local SQL DB], [Onboard Devices Repository] [Local SQL DB], [Admin User Repository] [Local SQL DB], AmigoPod AD [Active Directory]) >
• Add >
• Upon completion, Next (to configure Authorization)

Settings (screenshot, Authentication tab):
Authentication Methods: [EAP PEAP], [EAP FAST], [EAP TLS], [EAP TTLS] (Move Up / Move Down / Remove / View Details / Modify; -Select to Add-; Add new Authentication Method).
Authentication Sources: (Move Up / Move Down / Remove / View Details / Modify; -Select to Add-; Add new Authentication Source).
Strip Username Rules: Enable to specify a comma-separated list of rules to strip username prefixes or suffixes.

NOTE: The following field deserves special mention:

Strip Username Rules: Optionally, check here to pre-process the user name (to remove prefixes and suffixes) 
before sending it to the authentication source. 

To view detailed setting information for any preconfigured policy component, select the item and click View Details. 

3. Configure Authorization. 

Policy Manager fetches attributes for role mapping policy evaluation from the Authorization Sources. In this use 
case, the Authentication Source and Authorization Source are one and the same. 

Table 3: 802.1X - Configure Authorization Navigation and Settings

Navigation:
• Configure Service level authorization source. In this use case there is nothing to configure. Click the Next button. Upon completion, click Next (to Role Mapping).

Settings (screenshot, Authorization tab):
Authorization sources from which role mapping attributes are fetched (for each authentication source): Authentication Source [Local User Repository] [Local SQL DB]; Attributes Fetched From [Local User Repository] [Local SQL DB].
Additional authorization sources from which to fetch role-mapping attributes: (Remove / Modify; -Select to Add-; Add new Authentication Source).

4. Apply a Role Mapping Policy 
Policy Manager tests client identity against role-mapping rules, appending any match (multiple roles acceptable) to the request for use by the Enforcement Policy. In the event of role-mapping failure, Policy Manager assigns a default role.

In this Use Case, create the role mapping policy RMP_DEPARTMENT that distinguishes clients by department, and the corresponding roles ROLE_ENGINEERING and ROLE_FINANCE to which it maps:

Table 4: Role Mapping Navigation and Settings

Navigation:
Create the new Role Mapping Policy:
• Roles (tab) >
• Add New Role Mapping Policy (link) >

Settings (screenshot, Roles tab): Role Mapping Policy: -Select- (Modify; Add new Role Mapping Policy). Default Role; Rules Evaluation Algorithm.

Navigation:
Add new Roles (names only):
• Policy (tab) >
• Policy Name (freeform): ROLE_ENGINEER >
• Save (button) >
• Repeat for ROLE_FINANCE >
• When you are finished working in the Policy tab, click the Next button (in the Rules Editor)

Settings (screenshot, Configuration » Identity » Role Mappings » Add, Policy tab): Policy Name: RMP_DEPARTMENT; Description. Add new Role: Name ROLE_ENGINEER, then ROLE_FINANCE; Description.

Navigation:
Create rules to map client identity to a Role:
• Mapping Rules (tab) >
• Rules Evaluation Algorithm (radio button): Select all matches >
• Add Rule (button opens popup) >
• Rules Editor (popup) >
• Conditions/Actions: match Conditions to Actions (drop-down list) >
• Upon completion of each rule, click the Save button (in the Rules Editor) >
• When you are finished working in the Mapping Rules tab, click the Save button (in the Mapping Rules tab)

Settings (screenshot, Mapping Rules tab): Rules Evaluation Algorithm: Select first match / Select all matches (all matches selected). Role Mapping Rules (Conditions / Role Name):
1. (Authorization:AD:department CONTAINS engineer) Role_Engineer
2. (Authorization:AD:department CONTAINS finance) ROLE_FINANCE
(Edit Rule / Remove Rule.) Rules Editor: Matches ANY or ALL of the following conditions: Authorization:AD:department CONTAINS ...; the Role Name selector lists [Guest], [Other], [TACACS API Admin], [TACACS Help Desk], [TACACS Network Admin], [TACACS Read-only Admin], [TACACS Receptionist], [TACACS Super Admin].

16

ClearPass Policy Manager 6.1 | Quick Start Guide

Navigation:
Add the new Role Mapping Policy to the Service:
• Back in Roles (tab) >
• Role Mapping Policy (selector): RMP_DEPARTMENT >
• Upon completion, click Next (to Posture)

Settings (screenshot, Roles tab): Role Mapping Policy: RMP_DEPARTMENT (Modify; Add new Role Mapping Policy). Description; Default Role: [Guest]; Rules Evaluation Algorithm: evaluate-all. Conditions:
1. (Authorization:AD:department CONTAINS engineer) Role_Engineer
2. (Authorization:AD:department CONTAINS finance) ROLE_FINANCE






5. Configure a Posture Server.

For purposes of posture evaluation, you can configure a Posture Policy (internal to Policy Manager), a Posture Server (external), or an Audit Server (internal or external). Each of the first three use cases demonstrates one of these options; here, the Posture Server.

Policy Manager can be configured for a third-party posture server, to evaluate client health based on vendor-specific credentials, typically credentials that cannot be evaluated internally by Policy Manager (that is, not in the form of internal posture policies). Currently, Policy Manager supports the following posture server interface: Microsoft NPS (RADIUS).

Refer to the following table to add the external posture server of type Microsoft NPS to the 802.1X service:

Table 5: Posture Navigation and Settings

Navigation:
Add a new Posture Server:
• Posture (tab) >
• Add new Posture Server (button)

Settings (screenshot, Posture tab): Posture Policies (Remove / View Details / Modify; -Select to Add-; Add new Posture Policy). Default Posture Token: UNKNOWN (100). Remediate End-Hosts: Enable auto-remediation of non-compliant end-hosts. Remediation URL. Posture Servers (Remove / View Details / Modify; -Select to Add-; Add new Posture Server).

Navigation:
Configure Posture settings:
• Posture Server (tab) >
• Name (freeform): PS_NPS
• Server Type (radio button): Microsoft NPS
• Default Posture Token (selector): UNKNOWN
• Next (to Primary Server)

Settings (screenshot, Posture Server tab, followed by the Primary Server, Backup Server and Summary tabs): Name; Description; Server Type: Microsoft NPS; Default Posture Token: UNKNOWN (100).

Navigation:
Configure connection settings:
• Primary/Backup Server (tabs): Enter connection information for the RADIUS posture server.
• Next (button): from Primary Server to Backup Server.
• To complete your work in these tabs, click the Save button.

Settings (screenshot, Primary Server tab): RADIUS Server Name; RADIUS Server Port (default is 1812); Shared Secret and Verify; Timeout: 5 seconds.

Navigation:
Add the new Posture Server to the Service:
• Back in the Posture (tab) >
• Posture Servers (selector): PS_NPS, then click the Add button.
• Click the Next button.

Settings (screenshot, Posture tab): Posture Policies (Remove / View Details / Modify; -Select-; Add; Add new Posture Policy). Default Posture Token: UNKNOWN (100). Remediate End-Hosts: Enable auto-remediation of non-compliant end-hosts. Remediation URL. Posture Servers: PS_NPS [RADIUS] (Remove / View Details / Modify; -Select-; Add; Add new Posture Server).



6. Assign an Enforcement Policy.

Enforcement Policies contain dictionary-based rules that evaluate Role, Posture Tokens, and System Time in order to select Enforcement Profiles. Policy Manager applies all matching Enforcement Profiles to the Request. In the case of no match, Policy Manager assigns a default Enforcement Profile.

Table 6: Enforcement Policy Navigation and Settings

Navigation:
Configure the Enforcement Policy:
• Enforcement (tab) >
• Enforcement Policy (selector): Role_Based_Allow_Access_Policy

Settings (screenshot, Enforcement tab): Use Cached Results: Use cached Roles and Posture attributes from previous sessions. Enforcement Policy: [Sample Allow Access Policy] (Modify; Add new Enforcement Policy). Description: Sample policy to allow network access. Default Profile: [Allow Access Profile]. Rules Evaluation Algorithm: evaluate-all. Conditions:
1. (Date:Day-of-Week BELONGS_TO Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday) [Allow Access Profile]



For instructions about how to build such an Enforcement Policy, refer to "Configuring Enforcement Policies" in the 
ClearPass Policy Manager User Guide. 
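The rule evaluation that the use cases rely on (the service categorization rule in Table 1, role mapping with evaluate-all versus first match and a default role in Table 4, and the day-of-week enforcement rule in Table 6) can be modelled in a short script. The following is an added example, not ClearPass code: attribute keys are written Type:Name as on the screenshots, Tips:Role is an assumed name for the attribute that carries the mapped roles, and the request is constructed.

```python
"""Policy evaluation as the use cases in this guide describe it.

Added example (not ClearPass code). A condition is Type:Name OPERATOR Value,
a rule is a set of conditions matched with ANY or ALL, and a policy is an
ordered rule list with a rules-evaluation algorithm (first applicable or
evaluate all) and a default action. Attribute keys are written Type:Name.
"""
from dataclasses import dataclass

OPERATORS = {
    "EQUALS": lambda actual, expected: str(actual) == str(expected),
    "CONTAINS": lambda actual, expected: str(expected).lower() in str(actual).lower(),
    "BELONGS_TO": lambda actual, expected: str(actual) in [str(v) for v in expected],
}


@dataclass
class Condition:
    attribute: str        # e.g. "Authorization:AD:department"
    operator: str         # EQUALS, CONTAINS or BELONGS_TO
    value: object         # a scalar, or a list for BELONGS_TO

    def matches(self, request: dict) -> bool:
        if self.attribute not in request:
            return False  # an absent attribute never satisfies a condition
        return OPERATORS[self.operator](request[self.attribute], self.value)


@dataclass
class Rule:
    conditions: list
    action: str           # role name, enforcement profile or service type
    match: str = "ALL"    # "ALL" or "ANY" of the conditions

    def matches(self, request: dict) -> bool:
        results = [c.matches(request) for c in self.conditions]
        return all(results) if self.match == "ALL" else any(results)


@dataclass
class Policy:
    rules: list
    default: str
    algorithm: str = "evaluate-all"   # or "first-applicable"

    def evaluate(self, request: dict) -> list:
        """Actions of the matching rules, or [default] when nothing matches."""
        hits = []
        for rule in self.rules:
            if rule.matches(request):
                hits.append(rule.action)
                if self.algorithm == "first-applicable":
                    break
        return hits or [self.default]


# Table 1: service categorization rule for the 802.1X Wireless service type.
SERVICE_802_1X_WIRELESS = Rule(
    conditions=[
        Condition("Radius:IETF:NAS-Port-Type", "EQUALS", "Wireless-802.11 (19)"),
        Condition("Radius:IETF:Service-Type", "BELONGS_TO",
                  ["Login-User (1)", "Framed-User (2)", "Authenticate-Only (8)"]),
    ],
    action="802.1X Wireless",
)

# Table 4: RMP_DEPARTMENT, evaluate-all, default role [Guest].
RMP_DEPARTMENT = Policy(
    rules=[
        Rule([Condition("Authorization:AD:department", "CONTAINS", "engineer")], "ROLE_ENGINEER"),
        Rule([Condition("Authorization:AD:department", "CONTAINS", "finance")], "ROLE_FINANCE"),
    ],
    default="[Guest]",
)

# Table 6: the sample enforcement policy, evaluate-all, default [Allow Access Profile].
SAMPLE_ALLOW_ACCESS_POLICY = Policy(
    rules=[Rule([Condition("Date:Day-of-Week", "BELONGS_TO",
                           ["Monday", "Tuesday", "Wednesday", "Thursday",
                            "Friday", "Saturday", "Sunday"])], "[Allow Access Profile]")],
    default="[Allow Access Profile]",
)


def authorize(request: dict) -> dict:
    """Run the stages of Figure 1 in order: categorize, map roles, enforce."""
    if not SERVICE_802_1X_WIRELESS.matches(request):
        return {"service": None, "roles": [], "profiles": []}
    roles = RMP_DEPARTMENT.evaluate(request)
    # Mapped roles are appended to the request for the enforcement policy
    # (Tips:Role is an assumed attribute name for this example).
    enriched = dict(request, **{"Tips:Role": roles})
    profiles = SAMPLE_ALLOW_ACCESS_POLICY.evaluate(enriched)
    return {"service": SERVICE_802_1X_WIRELESS.action, "roles": roles, "profiles": profiles}


# Constructed 802.1X request from a user whose AD department names both departments.
SAMPLE_REQUEST = {
    "Radius:IETF:NAS-Port-Type": "Wireless-802.11 (19)",
    "Radius:IETF:Service-Type": "Framed-User (2)",
    "Authorization:AD:department": "Engineering and Finance",
    "Date:Day-of-Week": "Monday",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_REQUEST))
```

Switching RMP_DEPARTMENT to "first-applicable" returns only ROLE_ENGINEER for the sample request, which is the difference between the two radio buttons in the Mapping Rules tab.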

7. Save the Service. 

Click Save. The Service now appears at the bottom of the Services list. 
Chapter 5

Aruba Web Based Authentication

This Service supports known Guests with inadequate 802.1X supplicants or posture agents. The following figure illustrates the overall flow of control for this Policy Manager Service.

Figure 2 Flow-of-Control of Web-Based Authentication for Guests

(Figure: a request arrives from a client without an adequate posture agent or supplicant. The client is redirected to the Aruba Web Portal to capture username/password and evaluate posture. Policy Manager processes the request and returns access control attributes to the switch. The stages shown are:)

• Service. SERVICE: Aruba Web Based Authentication. eTIPS categorizes the request by Service Type.

• Authentication Method.

• Authentication Source. AUTHENTICATION SOURCE: Local_User_Repository. Validate client identity against the specified source.

• Role Mapping. ROLE MAPPING (using attributes from AUTHORIZATION SOURCE or using built-in Guest role). Map client identity to role.

• Posture Evaluation. POSTURE POLICY: IPP_UNIVERSAL. Evaluate posture; return "posture token" representing health.

• Enforcement Policy. ENFORCEMENT POLICY: SNMP_POLICY. Based on posture token, roles, and system time, map client to an Enforcement Profile.

• Enforcement Profile. ENFORCEMENT PROFILES: Guest_Limited, Guest_Full. Return connection attributes (representing assigned access) to the switch.

Configuring the Service 

Perform the following steps to configure Policy Manager for WebAuth-based Guest access. 

1. Prepare the switch to pre-process WebAuth requests for the Policy Manager Aruba WebAuth service.

Refer to your Network Access Device documentation to configure the switch such that it redirects HTTP requests to the Aruba Guest Portal, which captures username and password and optionally launches an agent that returns posture data.

2. Create a WebAuth-based Service. 
Table 7: Service Navigation and Settings

Navigation:
Create a new Service:
• Services >
• Add Service >
Name the Service and select a pre-configured Service Type:
• Service (tab) >
• Type (selector): Aruba Web-Based Authentication >
• Name/Description (freeform) >
• Upon completion, click Next.

Settings (screenshots):
Configuration » Services: Add Service, Import Services, Export Services.
Configuration » Services » Add, Service (tab), followed by the Authentication, Authorization, Roles, Posture, Enforcement and Summary tabs. Type: Web-based Authentication; Name; Description: Web Based Authentication for Guests; Monitor Mode: Enable to monitor network access without enforcement; More Options: Authorization, Posture Compliance.
Service Rule, matches ALL of the following conditions (Type / Name / Operator / Value):
1. Host CheckType MATCHES_ANY Authentication
3. Set up the Authentication. 

a. Method: The Policy Manager WebAuth service authenticates WebAuth clients internally. 

b. Source: Administrators typically configure Guest Users in the local Policy Manager database. 

4. Configure a Posture Policy.

For purposes of posture evaluation, you can configure a Posture Policy (internal to Policy Manager), a Posture Server (external), or an Audit Server (internal or external). Each of the first three use cases demonstrates one of these options. This use case demonstrates the Posture Policy.

As of the current version, Policy Manager ships with five pre-configured posture plugins that evaluate the health of the client and return a corresponding posture token.

Use the following tables to add the internal posture policy IPP_UNIVERSAL, which (as you configure it in this Use Case) checks any Windows XP clients to verify the most current Service Pack.

Table 8: Local Policy Manager Database Navigation and Settings

Navigation:
Select the local Policy Manager database:
• Authentication (tab) >
• Sources (Select drop-down list): [Local User Repository] >
• Add >
• Strip Username Rules (check box) > Enter an example of preceding or following separators (if any), with the phrase "user" representing the username to be returned. For authentication, Policy Manager strips the specified separators and any paths or domains beyond them.
• Upon completion, click Next (until you reach Enforcement Policy).

Settings (screenshot, Authentication tab): Authentication Sources (-Select to Add-; Add new Authentication Source). Strip Username Rules: Enable to specify a comma-separated list of rules to strip username prefixes or suffixes. Help text: "If username precedes domain name, use user:<separator> (e.g., user:@). Otherwise, use <separator>:user (e.g., \:user)".
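An added example (not ClearPass code) of how a strip rule list such as user:@, \:user can be interpreted and applied to the usernames a guest portal might submit. Applying the rules in list order, and cutting at the first separator for a suffix rule but the last separator for a prefix rule, are this example's own assumptions; the guide does not describe Policy Manager's internal behaviour.

```python
"""Strip Username Rules as described in Table 8 of this guide.

Added example (not ClearPass code). A rule is written with the word "user"
standing for the username: "user:<separator>" when the username precedes the
separator (user:@ for alice@corp.example), "<separator>:user" when the
separator precedes the username (\\:user for CORP\\alice). Rule order and the
first/last separator choice are this example's assumptions.
"""


def parse_strip_rules(rule_list: str) -> list:
    """Turn a comma-separated rule list into [(kind, separator), ...]."""
    rules = []
    for raw in rule_list.split(","):
        rule = raw.strip()
        if not rule:
            continue
        if rule.startswith("user:") and len(rule) > len("user:"):
            # username precedes the separator: drop the separator and what follows
            rules.append(("suffix", rule[len("user:"):]))
        elif rule.endswith(":user") and len(rule) > len(":user"):
            # separator precedes the username: drop up to and including the separator
            rules.append(("prefix", rule[:-len(":user")]))
        else:
            raise ValueError(f"unrecognised strip rule: {rule!r}")
    return rules


def strip_username(name: str, rules) -> str:
    """Return the bare username after applying the rules in order."""
    for kind, sep in rules:
        if kind == "suffix":
            idx = name.find(sep)      # first separator: the rest is domain/realm
            if idx != -1:
                name = name[:idx]
        else:
            idx = name.rfind(sep)     # last separator: the front is domain/path
            if idx != -1:
                name = name[idx + len(sep):]
    return name


# Constructed rule list and usernames, as a guest portal might submit them.
SAMPLE_RULES = parse_strip_rules("user:@, \\:user")
SAMPLE_NAMES = ["alice@corp.example", "CORP\\bob", "CORP\\carol@corp.example", "dave"]

if __name__ == "__main__":
    for original in SAMPLE_NAMES:
        print(f"{original!r:32} -> {strip_username(original, SAMPLE_RULES)!r}")
```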
Table 9: Posture Policy Navigation and Settings

Navigation:
Create a Posture Policy:
• Posture (tab) >
• Enable Validation Check (check box) >
• Add new Internal Policy (link) >

Settings (screenshot, Posture tab): Posture Policies (Remove / View Details / Modify; -Select to Add-; Add new Posture Policy). Default Posture Token: UNKNOWN (100). Remediate End-Hosts: Enable auto-remediation of non-compliant end-hosts. Remediation URL. Posture Servers (Remove / View Details / Modify; -Select to Add-; Add new Posture Server).

Navigation:
Name the Posture Policy and specify a general class of operating system:
• Policy (tab) >
• Policy Name (freeform): IPP_UNIVERSAL >
• Host Operating System (radio buttons): Windows >
• When finished working in the Policy tab, click Next to open the Posture Plugins tab

Settings (screenshot, Configuration » Posture » Posture Policies » Add, Policy tab): Policy Name: IPP_UNIVERSAL; Description: Policy to check health of Windows XP endpoints. Posture Agent: NAP Agent / OnGuard Agent (Persistent or Dissolvable). Host Operating System: Windows / Linux / Mac OS X.

Navigation:
Select a Validator:
• Posture Plugins (tab) >
• Enable Windows System Health Validator >
• Configure (button) >

Settings (screenshot, Posture Plugins tab, "Select one/more plugins", columns Plugin Name / Plugin Configuration / Status): ClearPass Windows Universal System Health Validator (Configure | View); Windows System Health Validator (Configure | View, Not Configured); Windows Security Health Validator (Configure | View).
Navigation:
Configure the Validator:
• Windows System Health Validator (popup) > Enable all Windows operating systems (check box) > Enable Service Pack levels for Windows 7, Vista, XP, Server 2008, Server 2008 R2, and Server 2003 (check boxes) > Save (button) > When finished working in the Posture Plugins tab, click Next to move to the Rules tab

Setting (Windows System Health Validator popup):
Client computers can connect to your network, subject to the following checks:
Windows 7: Windows 7 clients are allowed; Restrict clients which have Service Pack less than (check box, selector)
Windows Vista: Windows Vista clients are allowed; Restrict clients which have Service Pack less than (check box, selector)
Windows XP: Windows XP clients are allowed; Restrict clients which have Service Pack less than (check box, selector)
Windows Server 2008: Windows Server 2008 clients are allowed; Restrict clients which have Service Pack less than (check box, selector)
Windows Server 2008 R2: Windows Server 2008 R2 clients are allowed; Restrict clients which have Service Pack less than (check box, selector)
Windows Server 2003: Windows Server 2003 clients are allowed
Save
Navigation:
Set rules to correlate validation results with posture tokens:
• Rules (tab) > Add Rule (button opens popup) > Rules Editor (popup) > Conditions/Actions: match Conditions (Select Plugin / Select Plugin checks) to Actions (Posture Token) > In the Rules Editor, upon completion of each rule, click the Save button > When finished working in the Rules tab, click the Next button.

Setting (Rules tab):
Rules Evaluation Algorithm: First applicable
Conditions | Posture Token
Passes all SHV checks - Windows System Health Validator | HEALTHY
Fails one or more SHV checks - Windows System Health Validator | QUARANTINE
Move Up | Move Down | Edit Rule | Remove Rule

Rules Editor (popup):
Select Plugin Checks: Passes all SHV checks
Select Plugins: [ ] Windows System Health Validator
Posture Token: HEALTHY (0)
< Back to Services
Navigation:
Add the new Posture Policy to the Service:
• Back in Posture (tab) > Internal Policies (selector): IPP_UNIVERSAL_XP, then click the Add button

Setting (Posture tab screenshot; tabs: Service, Authentication, Authorization, Roles, Posture, Enforcement, Summary):
Posture Policies: (selector: -Select-; Add; Add new Posture Policy; Remove | View Details | Modify)
Default Posture Token: UNKNOWN (100)
Remediate End-Hosts: [ ] Enable auto-remediation of non-compliant end-hosts
Remediation URL: (text field)
Posture Servers: (selector: -Select-; Add; Add new Posture Server; Remove | View Details | Modify)
NOTE: The following fields deserve special mention:

Default Posture Token. Value of the posture token to use if health status is not available.

Remediate End-Hosts. When a client does not pass posture evaluation, redirect to the indicated server for remediation.

Remediation URL. URL of the remediation server.

5. Create an Enforcement Policy. 

Because this Use Case assumes the Guest role, and the Aruba Web Portal agent has returned a posture token, it 
does not require configuration of Role Mapping or Posture Evaluation. 

The SNMP_POLICY selected in this step provides full guest access for a Role of [Guest] with a Posture of Healthy, and limited guest access otherwise.



Table 10: Enforcement Policy Navigation and Settings

Navigation:
Add a new Enforcement Policy:
• Enforcement (tab) > Enforcement Policy (selector): SNMP_POLICY
• Upon completion, click Save.

Setting (Enforcement tab; tabs: Service, Authentication, Authorization, Roles, Posture, Enforcement):
Use Cached Results: [ ] Use cached Roles and Posture attributes from previous sessions
Enforcement Policy: SNMP Policy (Add new Enforcement Policy)
Description:
Default Profile: Restricted SNMP VLAN
Rules Evaluation Algorithm: evaluate-all
Conditions | Enforcement Profiles
(Tips:Role EQUALS Guest) AND (Tips:Posture EQUALS HEALTHY (0)) | Restricted SNMP VLAN
< Back to Services



6. Save the Service. 

Click Save. The Service now appears at the bottom of the Services list. 
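To make the two rule engines in this guide concrete, here is an added Python model (not ClearPass code): the posture-policy rules of Table 9 and the UnmanagedClientPolicy of Table 14, run under both evaluation algorithms the guide mentions (first-applicable and evaluate-all). The SHV check results and role sets are constructed inputs; the rule-to-profile pairings are read off the screenshots.

```python
"""Added example, not ClearPass code: a model of the two rule engines this guide
configures, the posture-policy Rules tab (IPP_UNIVERSAL, Table 9) and the
UnmanagedClientPolicy Enforcement Policy (Table 14). Rule-to-profile pairings are
read off the screenshots; the SHV check results passed in are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

def posture_token(shv_checks: Optional[dict], default: str = "UNKNOWN") -> str:
    """Rules tab, 'First applicable': passes all SHV checks -> HEALTHY (0);
    fails one or more -> QUARANTINE. With no health status at all the
    service's Default Posture Token (UNKNOWN (100) in the Posture tab) is used."""
    if not shv_checks:                        # validator result not available
        return default
    rules = [(lambda c: all(c.values()), "HEALTHY"),
             (lambda c: not all(c.values()), "QUARANTINE")]
    for matches, token in rules:
        if matches(shv_checks):
            return token
    return default

@dataclass
class EnforcementPolicy:
    default_profile: str
    algorithm: str                # "first-applicable" or "evaluate-all"
    rules: list                   # [(condition(request) -> bool, profile name)]

    def evaluate(self, request: dict) -> list:
        """Profiles for a request such as {"Tips:Role": {"Printers"}}."""
        matched = []
        for cond, profile in self.rules:
            if cond(request):
                matched.append(profile)
                if self.algorithm == "first-applicable":
                    break                 # stop at the first matching rule
        return matched or [self.default_profile]

def role_equals(role: str) -> Callable[[dict], bool]:
    # Tips:Role EQUALS <role> holds when the client carries that role; a client
    # may hold several roles, so Tips:Role is modelled as a set of names.
    return lambda req: role in req.get("Tips:Role", set())

# Table 14: default [Deny Access Profile], first-applicable, rules 1-6.
TABLE_14 = [("Printers", "WIRELESS_EMPLOYEE_NETWORK"), ("IP Phones", "WIRELESS_EMPLOYEE_NETWORK"),
            ("Handhelds", "WIRELESS_GUEST_NETWORK"), ("Role_Engineer", "WIRELESS_EMPLOYEE_NETWORK"),
            ("eTIPS_Guest", "WIRELESS_GUEST_NETWORK"), ("Unknown Client", "WIRELESS_CAPTIVE_NETWORK")]
RULES = [(role_equals(role), profile) for role, profile in TABLE_14]
UNMANAGED_CLIENT_POLICY = EnforcementPolicy("[Deny Access Profile]", "first-applicable", RULES)
# The same rules under evaluate-all, to show how the algorithm changes the outcome.
UNMANAGED_EVALUATE_ALL = EnforcementPolicy("[Deny Access Profile]", "evaluate-all", RULES)
```

A client holding both the Printers and Handhelds roles gets one profile under first-applicable but two under evaluate-all, which is why the algorithm field matters as much as the rule order.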
Chapter 6

MAC Authentication



This Service supports Network Devices, such as printers or handhelds. The following image illustrates the overall flow 
of control for this Policy Manager Service. In this service, an audit is initiated on receiving the first MAC 
Authentication request. A subsequent MAC Authentication request (forcefully triggered after the audit, or triggered 
after a short session timeout) uses the cached results from the audit to determine posture and role(s) for the device. 



Figure 3 Flow-of-Control of MAC Authentication for Network Devices

Note regarding color coding: This service (optionally) gathers information via Audit Server on the first pass, then re-authenticates the client after a short session timeout; on the second pass, it re-authenticates, allowing Policy Manager to use Role and Posture information from cache to perform Enforcement.

The figure shows the following stages:

• Switch falls back to MAC authentication request (on 802.1X failure) to Policy Manager with MAC address.
• SERVICE: Mac Auth Bypass. Policy Manager categorizes request by Service Type.
• Authentication Method / Authentication Source: For MAC Bypass, one option is a Static Hosts List (SHL), or can be any other supported authentication source.
• ROLE MAPPING (optional): Role information found in cache on second pass; on first pass, Role Mapping optional (otherwise, skip to audit server).
• POSTURE: Posture information found in cache on second pass, if audit performed by NESSUS server; on first pass, skip to Audit Server.
• AUDIT SERVER (optional): Nessus or NMAP audit with post-audit rules; cache the results. On second pass, after Authentication, skip to Enforcement. Test Posture; Evaluate Role.
• ENFORCEMENT POLICY: Role_Based_Access_Policy. Based on posture token, roles, and system time, map client to an Enforcement Profile.
• ENFORCEMENT PROFILE: VLAN_ENFORCEMENT_QUARANTINE, VLAN_ENFORCEMENT_FULL_ACCESS. Return connection attributes (representing assigned access) to the switch.



Configuring the Service 



Follow these steps to configure Policy Manager for MAC-based Network Device access. 
1. Create a MAC Authentication Service. 
Table 11: MAC Authentication Service Navigation and Settings

Navigation:
Create a new Service:
• Services > Add Service (link) >

Name the Service and select a pre-configured Service Type:
• Service (tab) > Type (selector): MAC Authentication > Name/Description (freeform) > Upon completion, click Next to configure Authentication

Settings (Configuration » Services: Add Service | Import Services | Export Services; then Configuration » Services » Add, Service tab; tabs: Service, Authentication, Authorization, Roles, Enforcement, Audit, Profiler, Summary):
Type: MAC Authentication
Name:
Description: MAC-based Authentication service
Monitor Mode: [ ] Enable to monitor network access without enforcement
More Options: [ ] Authorization [ ] Audit End-hosts [ ] Profile Endpoints
Service Rule: Matches ( ) ANY or (•) ALL of the following conditions:
Type | Name | Operator | Value
1. Radius:IETF | NAS-Port-Type | BELONGS_TO | Ethernet (15), Wireless-...
2. Radius:IETF | Service-Type | EQUALS | Call-Check (10)
3. Connection | Client-Mac-Address | EQUALS | %{Radius:IETF:User-Name}
4. Click to add...
< Back to Services
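As an added example (not ClearPass code), the following Python evaluates the three service-rule rows above against constructed RADIUS requests, showing why a MAC auth bypass matches ALL of them while an 802.1X logon on the same kind of port matches only under ANY. NAS-Port-Type 19 (Wireless-802.11) and Service-Type 2 (Framed) are RFC 2865 values that do not appear on the page.

```python
"""Added example, not ClearPass code: how the Service tab's service rule (Table 11)
categorizes an incoming RADIUS request as this MAC Authentication service.
Both requests below are constructed. NAS-Port-Type 15/19 and Service-Type 10/2
are RFC 2865 values; only Ethernet (15) and Call-Check (10) appear on the page."""
import re

def expand(value, request: dict):
    """Substitute %{Namespace:Attribute} references such as %{Radius:IETF:User-Name}."""
    if isinstance(value, str):
        return re.sub(r"%\{([^}]+)\}", lambda m: str(request.get(m.group(1), "")), value)
    return value

def normalize_mac(mac: str) -> str:
    """MAC addresses arrive in many spellings; compare as lower-case hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

OPERATORS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "BELONGS_TO": lambda actual, expected: actual in expected,
}

# Service rule rows from the Service tab: (attribute, operator, value).
MAC_AUTH_SERVICE_RULES = [
    ("Radius:IETF:NAS-Port-Type", "BELONGS_TO", {15, 19}),   # Ethernet, Wireless-802.11
    ("Radius:IETF:Service-Type", "EQUALS", 10),              # Call-Check
    ("Connection:Client-Mac-Address", "EQUALS", "%{Radius:IETF:User-Name}"),
]

def matches_service(request: dict, rules=MAC_AUTH_SERVICE_RULES, match: str = "ALL") -> bool:
    """Evaluate 'Matches ANY or ALL of the following conditions' for one request."""
    results = []
    for attr, op, expected in rules:
        actual = request.get(attr)
        if actual is None:                     # attribute absent: the row cannot match
            results.append(False)
            continue
        expected = expand(expected, request)
        if attr.endswith("Client-Mac-Address"):
            actual, expected = normalize_mac(actual), normalize_mac(expected)
        results.append(OPERATORS[op](actual, expected))
    return all(results) if match == "ALL" else any(results)

# Constructed requests: a MAC auth bypass from a wired port, and an 802.1X logon
# on the same kind of port (Service-Type Framed (2), User-Name is a person).
MAB_REQUEST = {"Radius:IETF:NAS-Port-Type": 15, "Radius:IETF:Service-Type": 10,
               "Radius:IETF:User-Name": "00-11-22-AA-BB-CC",
               "Connection:Client-Mac-Address": "001122aabbcc"}
DOT1X_REQUEST = {"Radius:IETF:NAS-Port-Type": 15, "Radius:IETF:Service-Type": 2,
                 "Radius:IETF:User-Name": "alice",
                 "Connection:Client-Mac-Address": "001122aabbcc"}
```

Row 3 is the one that keeps a user-name logon from being classified as MAC authentication: the User-Name must spell the client's own MAC address, so leaving the rule on ANY would let an 802.1X request on an Ethernet port fall into this service.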



2. Set up Authentication 

Note that you can select any type of authentication/authorization source for a MAC Authentication service. Only a 
Static Host List of type MAC Address List or MAC Address Regular Expression shows up in the list of 
authentication sources (of type Static Host List). Refer to "Adding and Modifying Static Host Lists" in the 
ClearPass Policy Manager User Guide for more information. You can also select any other supported type of 
authentication source. 

Table 12: Authentication Method Navigation and Settings

Navigation:
Select an Authentication Method and two authentication sources - one of type Static Host List and the other of type Generic LDAP server (that you have already configured in Policy Manager):
• Authentication (tab) > Methods (this method is automatically selected for this type of service): [MAC AUTH] > Add > Sources (Select drop-down list): Handhelds [Static Host List] and Policy Manager Clients White List [Generic LDAP] > Add >
• Upon completion, Next (to Audit)

Settings (Authentication tab):
Authentication Methods: [MAC-AUTH] (Move Up | Move Down | Remove | View Details | Modify; selector: -Select-; Add; Add new Authentication Method)
Authentication Sources: (Move Up | Move Down | Remove | View Details | Modify; selector: -Select-; Add; Add new Authentication Source)
Strip Username Rules: [ ] Enable to specify a comma-separated list of rules to strip ...
< Back to Services



3. Configure an Audit Server. 

This step is optional. Use it if no Role Mapping Policy is provided, or if you want to establish health or roles using an 
audit. An audit server determines health by performing a detailed system and health vulnerability analysis 
(NESSUS). You can also configure the audit server (NMAP or NESSUS) with post-audit rules that enable Policy 
Manager to determine client identity. 

Table 13: Audit Server Navigation and Settings

Navigation:
Configure the Audit Server:
• Audit (tab) >
• Audit End Hosts (enable) >
• Audit Server (selector): NMAP
• Trigger Conditions (radio button): For MAC authentication requests
• Reauthenticate client (check box): Enable

Settings (Audit tab; tabs: Service, Authentication, Authorization, Roles, Enforcement, Audit, Profiler, Summary):
Audit Server: [NmapAudit] (Add new Audit Server)
Audit Trigger Conditions: ( ) Always ( ) When posture is not available (•) For MAC authentication request
( ) For known end-hosts only ( ) For unknown end-hosts only (•) For all end-hosts
Action after audit: ( ) No Action (•) Do SNMP bounce ( ) Trigger RADIUS CoA action
< Back to Services









Upon completion of the audit, Policy Manager caches Role (NMAP and NESSUS) and Posture (NESSUS), then 
resets the connection (or the switch reauthenticates after a short session timeout), triggering a new request. That 
request follows the same path until it reaches Role Mapping/Posture/Audit, where the cached information for this 
client is appended to the request and passed on to Enforcement. 

4. Select the Enforcement Policy Sample_Allow_Access_Policy: 

Table 14: Enforcement Policy Navigation and Settings

Navigation:
Select the Enforcement Policy:
• Enforcement (tab) > Use Cached Results (check box): Select Use cached Roles and Posture attributes from previous sessions >
• Enforcement Policy (selector): UnmanagedClientPolicy
• When you are finished with your work in this tab, click Save.

Setting (Enforcement tab):
Use Cached Results: [x] Use cached Roles and Posture attributes from previous sessions
Enforcement Policy: UnmanagedClientPolicy (Add new Enforcement Policy)
Description: Enforcement Policy for Unmanaged Clients
Default Profile: [Deny Access Profile]
Rules Evaluation Algorithm: first-applicable
Conditions | Enforcement Profiles
1. (Tips:Role EQUALS Printers) | WIRELESS_EMPLOYEE_NETWORK
2. (Tips:Role EQUALS IP Phones) | WIRELESS_EMPLOYEE_NETWORK
3. (Tips:Role EQUALS Handhelds) | WIRELESS_GUEST_NETWORK
4. (Tips:Role EQUALS Role_Engineer) | WIRELESS_EMPLOYEE_NETWORK
5. (Tips:Role EQUALS eTIPS_Guest) | WIRELESS_GUEST_NETWORK
6. (Tips:Role EQUALS Unknown Client) | WIRELESS_CAPTIVE_NETWORK
< Back to Services



Unlike the 802.1X Service, which uses the same Enforcement Policy (but uses an explicit Role Mapping Policy to 
assess Role), in this use case Policy Manager applies post-audit rules against attributes captured by the Audit Server 
to infer Role(s). 

5. Save the Service. 

Click Save. The Service now appears at the bottom of the Services list. 
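The two-pass flow described above (audit, cache, bounce, then enforce from cache), as an added Python model that is not ClearPass code. The NMAP results and the post-audit port-to-Role rules are constructed assumptions; the Role-to-profile pairs come from Table 14.

```python
"""Added example, not ClearPass code: the two-pass MAC Authentication flow of
Figure 3 and Tables 13-14. Pass one runs the audit (the NMAP scan is stubbed with
constructed results), caches the derived Role and bounces the port; pass two finds
the cached Role and goes straight to Enforcement. The post-audit rules mapping open
ports to Roles are illustrative assumptions, not the page's configuration."""
from dataclasses import dataclass, field
from typing import Callable

# Assumed post-audit rules: the first open port that matches decides the Role.
POST_AUDIT_RULES = [(9100, "Printers"), (5060, "IP Phones")]
# Role -> Enforcement Profile for the Roles used here (Table 14).
ROLE_PROFILES = {"Printers": "WIRELESS_EMPLOYEE_NETWORK",
                 "IP Phones": "WIRELESS_EMPLOYEE_NETWORK",
                 "Unknown Client": "WIRELESS_CAPTIVE_NETWORK"}
DENY = "[Deny Access Profile]"              # the policy's Default Profile

@dataclass
class PolicyManager:
    scan: Callable[[str], set]              # audit server: MAC -> open TCP ports
    use_cached_results: bool = True         # the Enforcement tab check box
    cache: dict = field(default_factory=dict)   # MAC -> cached Tips:Role

    def audit(self, mac: str) -> str:
        open_ports = self.scan(mac)
        for port, role in POST_AUDIT_RULES:
            if port in open_ports:
                return role
        return "Unknown Client"

    def handle_mac_auth(self, mac: str) -> dict:
        """One MAC Authentication request; returns what goes back to the switch."""
        if self.use_cached_results and mac in self.cache:
            role = self.cache[mac]                      # second pass: from cache
            return {"pass": 2, "role": role,
                    "profile": ROLE_PROFILES.get(role, DENY), "action": None}
        role = self.audit(mac)                          # first pass: audit
        self.cache[mac] = role                          # cache Role for next pass
        # No Role is known while the audit runs, so the Default Profile is
        # assumed here, and 'Action after audit: Do SNMP bounce' makes the
        # switch send a fresh MAC Authentication request.
        return {"pass": 1, "role": None, "profile": DENY, "action": "SNMP bounce"}

# Constructed audit results: the printer answers on 9100, the other MAC on nothing.
def fake_nmap(mac: str) -> set:
    return {9100} if mac == "00:11:22:aa:bb:cc" else set()
```

With Use Cached Results cleared, every request takes the first-pass path and the device is audited and bounced again each time, which is why the check box is part of this use case.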